RIP IDA – decision time

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

It's April 2016 and some time in the next few days or hours someone has to decide whether to declare that GDS's GOV.UK Verify (RIP) system is live.

Whose decision is it? And what does "live" mean?

"Live" must mean something. We can't have another débâcle like GDS's 25 transformational exemplars, when eight exemplars had gone live 800 days after GDS gave themselves 400 days for the project but, if you added in the nine exemplars that were in public beta, then that meant 17 were live, call it a round 20.

Let's assume that "live" means no longer in beta testing, it means that GOV.UK Verify (RIP) is now in operation, it's being relied on, the relying parties are committed, the safety net's been rolled up and stowed away, GOV.UK verify (RIP) is on its own, it's out there in full view, there's no alternative, alea iacta est.

Relied on by whom?

• Not the Scots. They've got their own identity assurance system for access to public services.
• Not local government. They don't need GDS, who are still working on their model for local government.
• Not the NHS. They've explicitly rejected GOV.UK Verify (RIP).
• Not DWP. They've got enough problems with Universal Credit. And they remember the promise that identity assurance for 21 million claimants would be "fully operational from Spring 2013".

That leaves HMRC. As usual.

As we repeatedly discover, "on-line access to public services" means on-line access to HMRC.

What are the chances of anyone deciding that HMRC should depend on GOV.UK Verify (RIP)?

Nil.

GOV.UK Verify (RIP) still can't verify the identity of a company. So it can't be used to collect corporation tax, for example, nor the bulk of PAYE, NI and VAT. For that, HMRC will have to continue to rely on the Government Gateway.

But GOV.UK Verify (RIP) is meant to be able to verify the identity of individuals. What are the chances of anyone deciding that HMRC should depend on GOV.UK Verify (RIP) and switch off the Government Gateway at least for individuals?

The enormity of that decision makes it clear that it won't be taken by DCMS, who have somehow inherited nominal responsibility for the national IT digital strategy from BIS. And it won't be taken by GDS either.

GDS is in the Cabinet Office. The permanent secretary, John Manzoni, is also the CEO of the civil service. He starts to look senior enough to be involved in the decision. So does Matt Hancock, the Cabinet Office minister.

But only involved. HMRC also would have to be party to the decision. And the Treasury. Which means not just the permanent secretary at the Treasury but the Chancellor of the Exchequer as well. So now we're into the Cabinet. And the Cabinet Secretary, Sir Jeremy Heywood.

This decision is going to have to be taken by a team of senior ministers and their top officials.

It's an unenviable job.

The decision team might look at the criteria established a year ago in GOV.UK Verify [RIP]: Objectives for live. There, GDS set out six objectives that have to be achieved before GOV.UK Verify (RIP) can go live:

Criterion/objective		Outcome
1	Readiness for services to adopt GOV.UK Verify (RIP)	GDS claim that there are nine public services currently available through GOV.UK Verify (RIP). The true figure might generously be seven. GDS sometimes claim that there will be 50 public services available through GOV.UK Verify (RIP) this month but they also row back from that figure to some smaller, unknown number. Who knows who's ready for what?
2	Demographic coverage: 90% for services using GOV.UK Verify (RIP) by April 2016	Relying, as it does, on credit history information, passports and driving licences, GOV.UK Verify (RIP) has had particular trouble registering the very young and the very old. There is no sign that those problems have been solved. According to GDS, the solution lies in using more personal information to identify people. They have never said what additional personal information they have in mind and we have no idea whether people would consent to the intrusion. Who knows what the demographic coverage rate is?
3	Success rate: 90%	63%. Allegedly. That's the authentication success rate. Meanwhile, the authentication completion rate languishes at 33%. Neither figure is anywhere near the 90% minimum required specified.
4	Everyone can use GOV.UK Verify (RIP) to access services	No. Some people refuse to use it. Among the willing, some don't have the IT skills. Among those willing who have the IT skills, they don't all have access to viable broadband. Not everyone has a live-looking credit history and a passport and a driving licence. GDS's assisted digital initiative has never made any headway. There is no hope whatever that everyone can use GOV.UK Verify (RIP) to access either the public services or the private sector services GDS have been vainly lobbying.
5	A range of high quality certified companies for people to choose from	Their quality is a matter of opinion. The nine "identity providers" promised fell to eight when PayPal pulled out. Verizon have been hacked and are currently out of action which takes us down to seven. Of those seven "identity providers", only three are certified and no-one's ever heard of two of them, trustworthy though they may be. All the "identity providers" want to collect colossal amounts of personal information and share it with other companies all over the world out of the owners' control. Why would people choose any of them just to check the points on their driving licence?
6	The product and service are scaled, resilient and operationally ready for live	Who knows?

Quite rightly, GDS have never had to take a decision of national importance. The decision team are likely to have very different criteria. But even by GDS's own lights, the decision now can't possibly be yes, GOV.UK Verify (RIP) is ready to go live. Just look at the table above. The decision team have careers and reputations to consider. And there is something called "the national interest", to which they will not be blind.

The decision team might decide to take the traditional Whitehall route and delay the live date. But delay it for how long? A month obviously isn't long enough. Three months? Six months? GOV.UK Verify (RIP) has already been in development for four years and in beta for two. What reason is there to believe that matters will have improved in six months time? How many more "identity providers" will walk away in the meantime? What miracle or magic needs to take place? What needs to change? And if someone knows the answer to that, why hasn't it already been changed?

The decision team might even take the radical option and decide to cancel GOV.UK Verify (RIP) now. Bow to the inevitable. The first cut is the deepest. Stop-loss. TSR2. GDS set out to avoid the creation of a national identity register, as required by a feature of the disgraced ID cards scheme, and ended up trying to create nine national identity registers (or eight of them or seven, however many "identity providers" we have left).

The decision team could take the Government Gateway away from DWP, who have been poor custodians, and give it to someone else to improve, not the Home Office, maybe HMRC. Or they could give the identity assurance job to Scotland. But not Estonia. Or – think back to Taurus and Crest – they could get the Bank of England to sort something out, probably with the banks, who have on-line identity assurance systems and experience coming out of their ears.

There's face-saving to consider, of course. And not just nationally – blatant log-rolling has seen GDS celebrated abroad and credited with the creation of copycat operations in the US, Australia and now Argentina which in turn validates GDS as the hip option for the politician who wants to be seen as transformative and modern. It remains the case that, the sooner the decision team act radically, the less the loss of face.

----------

Updated 6.4.16

Hard to believe but the decision has been taken.

We know that because Neil Merrett told us yesterday GOV.UK Verify [RIP] on course for live service switchover this month.

GDS caught up today: "We and the certified companies are now working towards our next milestone - going from beta to live later this month".

Verizon have now limped back into action, registering new victims of GOV.UK Verify (RIP).

GDS say that "having a range of high quality certified companies for people to choose from is one of our objectives for live". They have these objectives, none of them have been met, please see above, but GOV.UK Verify (RIP) is to be inflicted on the public nonetheless.

Talking of all eight "identity providers", GDS are "sure their solutions are secure". Barclays, on the other hand, say "the internet is not completely secure ... we cannot guarantee the security of your data ... we will ... try to prevent unauthorised access". They can't both be right.

GDS will "continue to help GOV.UK Verify [RIP] work for more people". That's not going very well, as we were saying only this morning:

GOV.UK Verify (RIP) tends to exclude individuals with a low income, people outside the managerial and professional classes, the unemployed, the very young, the very old, urbanites, women and Northerners. And for everyone else, even theoretically, it's still miles away from the 100% identity verification rate you might, if you're old-fashioned, associate with public provision.

What is the probability today that GOV.UK Verify (RIP) can verify your identity? According to GDS:

GDS want to go live even though they know that between 20 and 30 percent of low-paid individuals can't register for a GOV.UK Verify (RIP) account. So much for putting the user first, these people will be excluded by default from public services.

Updated 13.4.16

"... no reason for GOV.UK Verify [RIP] to be used ..."

The Privacy and Consumer Advisory Group (PCAG) have devised guidelines under nine headings for the privacy aspects of GOV.UK Verify (RIP). The Government Digital Service (GDS) claim to abide by all nine while actually abiding by none of them.

Hat tip someone, the minutes of PCAG's 10 February 2016 meeting have been published. It would be a pleasure to write several thousand words commenting on the matters arising but let's concentrate on item 2.4:

GROUP BUSINESS - ONS Census (Terry Makewell, Jo Neagus - ONS) Following a presentation on the potential use of GOV.UK Verify [RIP] for the 2021 Census, Group members recommended that there was no reason for GOV.UK Verify [RIP] to be used on this occasion given that the Census is a count of households rather than individuals and that it would be inappropriate to do so.  However, the Group further suggested that GOV.UK Verify [RIP] could be used for other surveys run by ONS, but that this would be a separate discussion and the potential role of Verify would depend on the specific surveys under consideration.

In five years time the Office for National Statistics (ONS) will conduct the 2021 UK census. We have been prepared ever since the 2011 census to see new methods used.

Digital methods. 2021's will be a digital-by-default census. The census will be a service resting on one of GDS's data-sharing platforms, underpinned by a canonical population register compiled, surely, by GOV.UK Verify (RIP).

No. The decision has been taken. The ONS will do its census. It won't rely on GOV.UK Verify (RIP). For whatever reason, GOV.UK Verify (RIP) is out of the running.


Updated 15.4.16

GDS work tirelessly to improve everyone's lot. They tinker around with the front end of GOV.UK Verify (RIP) like top hairdressers trimming and shaping and layering, always seeking to retain a certain look while everything under their expert hands is actually alive and constantly changing.

There was Todd Anderson, for example, telling us the other day in GOV.UK Verify: [RIP] Technical delivery update, 11 April 2016 that "to improve GOV.UK Verify [RIP] and make it better for end users, since our last update we’ve … added new journeys to the hub to reflect the new features released by the certified companies".

Keen-eyed stylewatchers will have spotted some of the primping done on the registration dialogue for new victims of GOV.UK Verify (RIP). For example this screen ...

... used to ask victims to confirm that they are aged 19 or over. That was before 12 April 2016. Now it's 20. And that makes it "better for end users".

Think about it.

According to the Office for National Statistics (ONS), the breakdown of the UK population by age and by sex in mid-2014 was something like:

Source: Office for National Statistics

Notes:

Ages above 105 are not included on the population pyramid.

The ONS's data sheet estimated that there were 790,575 19 year-old victims in the UK in 2014 and that there will be 864,872 by 2039. Let's say there are roughly 800,000 of them at the moment.

What Sweeney Todd Anderson and his team have done is to reduce the GOV.UK Verify (RIP) universe by 800,000. Just like that, they've excluded 800,000 people from the possibility of getting on-line accounts which would allow them to transact with government.

GOV.UK Verify (RIP) already had a problem reaching its target 90% coverage. It's languishing at the moment around the 67% mark. GDS have just chopped another 1.2% off GOV.UK Verify (RIP)'s reach.

These are enormous decisions to take. And they're being taken -- in the modern, transformed, agile Whitehall way -- by the hairdressers of GDS.


Updated 18.4.16

An ex-maths teacher writes:

A  The Government Digital Service (GDS) say that the demographic coverage for services using GOV.UK Verify (RIP) must be 90% if the system is to go live in April 2016.

B  At the same time, GDS are trying to dissuade anyone under the age of 20 from registering:

The Office for National Statistics (ONS) estimated that there were 15,259,986 people under the age of 20 in the UK in mid-2014 and that there would be 16,647,588 of them by mid-2039. Those figures represent 23.62% and 22.41% of the ONS's estimated UK population, respectively.

B implies that it is impossible for GOV.UK Verify (RIP) to achieve a coverage of 90% and A implies that it is therefore impossible for the system to go live in April 2016.

Despite professing its virtues, GDS seem to be strangers to data science.

N The ex-maths teacher's contribution isn't very impressive, is it. GOV.UK Verify (RIP) is no use for age verification of the young. We already knew that. Otherwise, five year-olds don't need to view their driving licence details or apply for rural payments, for example, so it doesn't matter if they're excluded.

RIP IDA – decision time

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

It's April 2016 and some time in the next few days or hours someone has to decide whether to declare that GDS's GOV.UK Verify (RIP) system is live.

Whose decision is it? And what does "live" mean?

RIP IDA – not good enough for the NHS and not good enough for you

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

This is what the Government Digital Service (GDS) have to say about the security of GOV.UK Verify (RIP). It's secure. And it stops someone pretending to be you. And it fights the growing problem of on-line identity theft.

The splash screen you see if you bravely register for one of GDS's GOV.UK Verify (RIP) accounts

HSCIC
Health and Social Care Information Centre
We are the trusted national provider of high-quality information, data and IT systems for health and social care.

But it's not quite as clear-cut as that. According to Computer Weekly magazine, Gov.uk Verify [RIP] not secure enough for NHS, says HSCIC.

Not only that, but "The government’s Verify identity verification platform isn’t secure enough for the NHS, so Liverpool Clinical Commissioning Group and HSCIC are working to add extra levels of security".

NHS Liverpool CCG
National Health Service Liverpool Clinical Commissioning Group (CCG) is responsible for planning and buying most NHS services for the people of Liverpool …

And "Liverpool Clinical Commissioning Group (CCG) is working to make the government's identify authentication platform secure enough for the NHS to use".

Why do Computer Weekly keep banging on about security? Because Rob Shaw of HSCIC told them there is a security problem with GOV.UK Verify (RIP), "we absolutely have to make sure it’s secure enough" and "Verify is not quite there in terms of the level of security we’ll need in terms of the health services" and "we’re likely to take it to the next level in terms of security".

The Cabinet Office helpfully chimed in with "We take our users’ privacy and the security of their data very seriously and the new system is safer and more secure than previous ways of proving who you are online".

Followed by Dave Horsfield of the Liverpool CCG, "the programme is about giving patients access to their records for whatever purpose they want, securely and easily".

Apparently "the NHS is worried that Verify won’t be, or won’t come across as, secure enough for people’s health records ... we’ve got an extra layer in health where people are very worried about security".

In case you haven't been counting, that's ten 12 occurrences of the word "secure" and its cognates. Anyone would think there's a security problem with GOV.UK Verify (RIP). The sheer weight of repetition must have overwhelmed most readers into believing that.

@DMossEsq @GOVUKverify concerns about identity proofing? i.e. health records have risks from spouse / parents which don't apply to i.e. tax? — Jim Gumbley (@jgumbley) March 28, 2016

But not Jim Gumbley. This Liverpool business is not an example of a security problem, Jim says. It's an identity-proofing problem. And that 's different.

It's wrong in that case to say that GOV.UK Verify (RIP) isn't secure enough for the NHS. Better to say that it's not good enough at stopping people from pretending to be you. Or that it's lost the fight against the growing problem of on-line identity theft.

Mr Horsfield thinks he may be able to solve the GOV.UK Verify (RIP) problem with a combination of social media and biometrics – the triumph of hope over experience.

Jim's right. As usual. Identity-proofing and security are two different things and shouldn't be confused.

It remains the case that GDS's splash screen is wrong and that GOV.UK Verify (RIP) isn't "good" enough for the NHS. So it isn't good enough for any other "relying party" like HMRC or DWP either. Or for a bank. Or for a criminal court. Or even for a civil court. And it's certainly not good enough for you.

RIP IDA – not good enough for the NHS and not good enough for you

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

This is what the Government Digital Service (GDS) have to say about the security of GOV.UK Verify (RIP). It's secure. And it stops someone pretending to be you. And it fights the growing problem of on-line identity theft.

The splash screen you see if you bravely register for one of GDS's GOV.UK Verify (RIP) accounts

HSCIC
Health and Social Care Information Centre
We are the trusted national provider of high-quality information, data and IT systems for health and social care.

But it's not quite as clear-cut as that. According to Computer Weekly magazine, Gov.uk Verify [RIP] not secure enough for NHS, says HSCIC.

RIP IDA – Verizon

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

The Government Digital Service (GDS) claimed until recently that they had nine "identity providers" through whom we proles could register an account with GOV.UK Verify (RIP).

Then PayPal bolted. One minute you see them. Next minute they're gone.

PayPal gave no explanation. Neither did GDS.

Whatever, GDS were then down from nine to eight "identity providers". Or should that be seven?

@Verizon have diasappeared from @govukverify's list of "identity providers".@gdsteam mistake? Or something else? pic.twitter.com/h6xtfcjiLw — David Moss (@DMossEsq) March 7, 2016

@DMossEsq Verizon are preparing their service under the new contract. More news on this soon. They remain available for existing users. — GOV UK Verify (@GOVUKverify) March 8, 2016

@GOVUKverify, @Experian seem to have moved to Framework 2 Ts & Cs without shutting the shop, why can't @verizon? How long does it take? — David Moss (@DMossEsq) March 10, 2016

@GOVUKverify, @verizon are taking a spookily long time about it. The "new contract" is a year old. When can we expect them back on the list? — David Moss (@DMossEsq) March 9, 2016

@GOVUKverify, still no sign of @Verizon coming back on stream. It's been two weeks now. Have they bolted, like @PayPal? — David Moss (@DMossEsq) March 21, 2016

@verizon unavailable for 2 weeks to new @govukverify victims & no cogent explanation from the "open" @gdsteamhttps://t.co/jQeDVBECKk — David Moss (@DMossEsq) March 23, 2016

Some time on or before 7 March 2016, Verizon disappeared from GDS's list of GOV.UK Verify (RIP) "identity providers". They'd been there before. Then they weren't.

Why?

On 8 March 2016 GDS tweeted their first and last attempt at an answer: "Verizon are preparing their service under the new contract. More news on this soon. They remain available for existing users".

The "new contract" referred to is Framework 2. It's been well over a year since the terms of Framework 2 were known.

GDS presumably expect us proles to believe that Verizon are so incompetent that, unlike any other "identity provider", they have to take their service down for several weeks just to change their terms and conditions.

That looks so unlikely by way of an explanation that the unsatisfied mind starts to look for other explanations.

On 7 March 2016 ElReg reported Verizon fined just $1.4m for stalker supercookies.

Verizon were fined for using supercookies. What? "That means that over time, it is possible to ... build a strong profile on a particular individual, which advertisers then use to show you so-called relevant adverts".

Is that why Verizon had gone dark GOV.UK Verify (RIP)-wise? "Nah", said security expert Peter Bance, par for the course, already priced in, that's just how Verizon operate, bit of an eye-opener for us proles maybe but not for GDS, Her Majesty's public officials in the know.

GDS tell us that GOV.UK Verify (RIP) is needed to help us view our driving licence details. So Verizon are involved because they want nothing more than for us to view our driving licence details?

Not exactly. Verizon are quite open about it: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect".

But if Verizon haven't bolted like PayPal, and if it isn't the Framework 2 terms and conditions, and it isn't the shame of being caught using supercookies and the derisory fine of $1.4 million, then what is the reason for Verizon's temporary absence from the host of "identity providers"?

Note first that Verizon already have their GOV.UK Verify (RIP) service approved by tScheme, the experts in trustworthiness. What's more (hat tip: someone), they've applied for tScheme certification of a second identity proofing service. It doesn't look as if they intend to bolt.

Note also that Verizon's GOV.UK Verify (RIP) problems go back to before 7 March 2016. "Verizon have identified an issue within their environment", it said on 26 February 2016 (hat tip: someone), "there will be a short period of downtime to implement an emergency change". That's on GDS's GOV.UK Verify (RIP) status log,

The emergency was over 102 minutes later according to the log and Verizon were fully operational again. Except that four weeks later they're not.

Note finally security expert Brian Krebs's latest revelation, Crooks Steal, Sell Verizon Enterprise Customer Data: "Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise ... Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site".

That's more like it. That's more like an explanation for Verizon taking their GOV.UK Verify (RIP) registration site down for four weeks. Their security has been breached and 1½ million of their customers are now at more risk than usual as a result.

GDS are always blithely optimistic about security:

GOV.UK Verify (RIP) – "It's secure". No qualification. It's secure and that's all there is to it.

No. No-one believes that and it's a mystery why GDS keep saying it.

It's a false prospectus. Just ask Verizon. GDS's claim amounts to luring in the innocent. GOV.UK Verify (RIP) would never be admitted to the London Stock Exchange's Daily Official List if their broker came along with a whopper like that.

Mystery cleared up, Verizon have gone dark because they've been taken to the cleaners.

Don't let the same happen to you.

According to Verizon's GOV.UK Verify (RIP) privacy policy (hat tip:someone), "... it will also be necessary, in order to provision the service to you [prole] to share the personal information we [Verizon] collect, as described above, to companies that perform services on our behalf as follows ... The identity service product is owned by Zentry LLC. Zentry LLC is a US based company who will receive your information in order to issue the identity credential on your request ...".

Verizon will share your personal information with Zentry. And who are Zentry? According to Bloomberg:

And according to FindTheCompany, "Zentry Technology LLC is a small organization in the business services industry located in Salt Lake City, UT. It opened its doors in 2010 and now has an estimated $90,000 in yearly revenue and approximately 2 employees".

When Verizon reappear in GDS's GOV.UK Verify (RIP) firmament you can entrust all your personal information to them and to Zentry if you like so that you can view your driving licence details. It's up to you.

----------

Updated 29.3.16

GDS's claim that Verizon have stopped registering new GOV.UK Verify (RIP) account-holders because they have to update their terms and conditions of business is cheeky. The other Framework 1 "identity providers" all managed to convert to Framework 2 on the fly.

Is the theory that Verizon are still off air because they've been hacked any better as an explanation?

Not necessarily.

Experian were taken to the cleaners, too, like Verizon, please see RIP IDA – 16 June 2014 and Brian Krebs's Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. Experian are still happily registering new GOV.UK Verify (RIP) victims.


Updated 5.4.16

Here's a snapshot from Verizon's contract with GDS, the bit dealing with key performance indicators:

Before you ask ...

"Availability" means that the on-line Customer facing Services described in paragraph A (Overview) of Schedule 1 (Services) shall be operational and available 24 hours a day, 365 days a year, excluding Scheduled Downtime and shall be samples [sampled?] at intervals of no more than 5 minutes.

... a "measurement window" is seven days and those customer-facing services include:

Verizon haven't provided those services since 7 March 2016, at least four measurement windows ago. This is no mere KPI failure. This is a critical KPI failure, as defined.

And what happens when a provider like Verizon suffers critical KPI failures? Answer, the authority, in this case GDS, may terminate their contract:

The Provider shall at all relevant times meet or exceed the KPIs set out in Table 1 (KPIs) below in performing the Services. The Authority may terminate this Contract under Clause H2 (Termination for Default) in the event that the Provider commits three (3) Critical KPI Failures.

The authority may terminate the contract. They have that right but it's not a duty. Would GDS terminate Verizon's contract just for suffering at least four critical KPI failures? Apparently not.

There's all sorts of other interesting detail available in the Verizon contract. But before we get too excited, this is their Framework 1 contract, which must by now presumably have been replaced with a Framework 2 contract.

The Framework 2 contract is likely to have similar service availability conditions in it. In which case it is relevant to note that, yes, Verizon are still not registering new GOV.UK Verify (RIP) victims.


Updated 6.4.16

Some time today, Verizon reappeared:

"Did you know", they ask, without ever reaching a question mark, ...

... Verizon has customers in 150 countries and manages identity programs for 25 governments. Millions of people across the globe trust their security and personal data to Verizon every day, so you can be confident that we know how to protect you to the highest standards.

"You can be confident that we know how to protect you to the highest standards"? Not very confident. Don't forget Crooks Steal, Sell Verizon Enterprise Customer Data.

Verizon have been closed to new GOV.UK Verify (RIP) victims for the past month or so. Why?

It's because they've been "preparing their service under the new contract", GDS told us on 8 March 2016.

That's not what Verizon told Neil Merrett yesterday:

"We have been working to make sure that the platform gives the best results possible. We have been introducing two new mobile features to make our service more mobile friendly."

Neither proposition explains taking Verizon's registration service down for a month.

If you want to register with Verizon, you're on your own. Even though "there's no charge for this service" and Verizon has "met security standards set by government", DMossEsq couldn't find a single volunteer prepared to try it out:

• Verizon fined just $1.4m for stalker supercookies
• German government terminates Verizon contract over NSA snooping fears
• "We see ourselves as an ad platform that helps brands and consumers connect"
• "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site"

GDS may want to lure you in but why take the risk?

Especially if next time Verizon go on holiday you might find your identity, and thus your existence, suspended for a month.


Updated 9.12.16

Verizon is one of the "identity providers" for GOV.UK Verify (RIP).

At least, they're meant to be.

Nine months ago, Verizon disappeared without convincing explanation. A month later, they re-appearaed without convincing ditto.

That doesn't inspire confidence.

We, the public, need to feel that GOV.UK Verify (RIP) is stable.

So do the "relying parties", i.e. the likes of the Driver and Vehicle Licensing Agency (DVLA). They need to know that we are who we claim to be when we connect to the on-line public services they operate.

How are the relying parties supposed to feel confident in the assurances of the "identity providers" that we are who we say we are when "identity providers" themselves can just whimsically come and go.

Verizon – now you see them …

You might get away with it once. But not twice. And you know what? Verizon disappeared again, in July. What's more, they still haven't re-appeared five months later.

… now you don't.

Will Verizon be back again?

In time for Christmas?

Will the Government Digital Service ever deign to explain to us, their parishioners, what on earth is going on?

And can you see why sensible relying parties are sticking to the Government Gateway?

RIP IDA – Verizon

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

The Government Digital Service (GDS) claimed until recently that they had nine "identity providers" through whom we proles could register an account with GOV.UK Verify (RIP).

Then PayPal bolted. One minute you see them. Next minute they're gone.

PayPal gave no explanation. Neither did GDS.

Whatever, GDS were then down from nine to eight "identity providers". Or should that be seven?

An open address register

First he was the director of open data and transparency. Then director of open data and government innovation. Now Paul Maltby is director of data at the Government Digital Service (GDS) and yesterday he blogged about An open address register:

The UK government is regularly recognised for being a global leader in making public data openly available. Ministers have committed to being the most transparent government ever. We are determined to make sure that we keep producing high quality data and that we make it as accessible as possible ... Data has become a part of our core national infrastructure, and a huge driver of innovation ... Registers, canonical lists of core reference data, are at the forefront of the government’s effort ... GDS Data Group and the Department for Business, Innovation and Skills (BIS) are working in conjunction with a range of other stakeholders to explore how to fully exploit the benefits of open and freely available address data ...

All these predicates may have disappeared from his job title but Mr Maltby wants us to know that he's still in favour of openness and transparency and that he still sees a connection between making data open and inspiring innovation, which in turn will cause the economy to grow. That reference to registers also alerts us to his support for Government as a Platform (GaaP).

We know that GDS believe that GaaP would reduce the budget deficit by £35 billion p.a. and that GaaP could get rid of 1½ million useless public servants. All that's needed is for there to be a set of "canonical" registers, which constitute a "single source of truth".

We also know that GDS fall in with the belief that innovation is caused by data being open, a belief we refer to as "the magic of open data".

They're hypotheses really, not beliefs. There's a lot of evidence to the contrary about both GaaP and the magic of open data and little evidence in favour. We know that, too.

So why is Mr Maltby re-affirming his commitment to these unproven hypotheses now? Answer, there's money at stake, please see para. 2.324 in the UK's 16 March 2016 Budget: "The government will provide up to £5 million to develop options for an authoritative address register that is open and freely available".

We already have an "authoritative address register". It's called the "postcode address file" (PAF) and it's maintained by Royal Mail plc.

The public sector doesn't need to spend £5 million of our money "developing options" to create another one.

But a lot of people want to.

Professor Sir Nigel Shadbolt of the Open Data Institute and Stephan Shakespeare of YouGov, for example.

They're both convinced that it was a terrible mistake to let Royal Mail take the PAF with it when it was privatised. They even managed to convince the normally sensible Hon Bernard Jenkin MP, chairman of Public Administration Select Committee, that it was a mistake.

Why do they think it was a terrible mistake? Because, if postcodes aren't freely available to everyone who wants them, then there will be no innovation and the economy will shrivel. Not proven.

ComputerWorld UK also are up in arms:

The government’s (now defunct) Open Data User Group described national addresses as “the single most fundamental set of core-reference data we can identify” in a February 2013 paper. It argued making the data openly available would improve transparency, boost public sector efficiency, improve economic growth as the data can be used by businesses and reduce the cost and complexity of licensing ... It will unlock an estimated £110 million of value for UK businesses, charities and government.

Before it was closed, the Open Data User Group (ODUG) was of course entitled to describe the PAF in any hyperbolic terms it chose. The fact remains that the PAF is still available to the nation. Take a look. We haven't been deprived of it.

The claims made for transparency, efficiency, economic growth and complexity are still unproven. And ODUG's estimate of the value it could unlock is no more than an estimate.

If we go back to 2013 and the glory days of ODUG we find the claim made that Royal Mail's monopoly of postcodes would increase its profits. Also:

... a potential investor is likely to view the persistent debate about the ownership and future of PAF as a risk factor which will deter them from investing in the Royal Mail.

In which Australia gains global competitive advantage by treating address data as civic infrastructure. https://t.co/F1txAEYwJr — Tom Loosemore (@tomskitomski) February 28, 2016

@tomskitomski *so* good — Janet Hughes (@JanetHughes) February 29, 2016

@JanetHughes @tomskitomski Sharing the family silver instead of selling it. — Allon Lister (@allonlister) February 29, 2016

@allonlister @tomskitomski giving the family its silver back, or just not taking it off them in the first place... — Janet Hughes (@JanetHughes) February 29, 2016

While you're trying to work out whether ODUG thought Royal Mail was a high return investment or a low one, let's move on to bank account numbers, mobile phone numbers, email addresses and IP addresses, four more of the "single most fundamental set[s] of core-reference data" that should be under government control.

“When the UK Government privatised the Royal Mail it lost control of address data". That's what Peter Wells of the Open Data Institute told ComputerWorld UK. Presumably he would prefer to see bank account numbers, mobile phone numbers etc ..., also under government control.

Him and Mr Maltby, too. Those registers. They want everything in there. And in their view it all has to be under government control.

GDS have established a Register Design Authority, they tell us. If some ghastly profit-making organisation happens to create a useful register, GDS could exclude it from the single source of truth.

They think they can control the truth.

They also think they understand markets and that they know how to create them and regulate them.

They also think they're experts on property ownership. They think they can take property away from one person and give it to another without causing anxiety – anxiety in the recipient, for example, that if the Lords of Truth can expropriate once they might develop a liking for it and do it again. And anxiety among innovators generally. If their invention works, will it be taken away from them and added to the single source of truth? In which case, what's the point?

And the Chancellor thinks he knows how to allocate resources. £5 million to fund an unnecessary competition between the public sector and the private sector.

----------

Updated 25.3.16

Tony Collins and others have just won a Freedom of Information case brought against the Department for Work and Pensions (DWP).

Instead of hiding the sad truth for years, DWP should now disclose a lot of the Universal Credit project management documentation.

DWP may continue to behave as though it is above the law and unbound by common sense and common decency. But if not, then one of the documents it should publish is the Universal Credit risk register.

And where better to publish it than on Mr Maltby's open, transparent, innovation-causing, economy-expanding canonical register platform?

Updated 31.3.16

Sir Jeremy Heywood, head of the UK civil service, devoted a lot of his 2015 review to diversity and inclusion.

Work on D&I has been going on for years throughout Whitehall, not least in the Cabinet Office, please see LGBT – history, religion and faith:

As the Cabinet Office LGB&TI Diversity Champion, making the department one of the most inclusive and diverse organisations in government is something I care passionately about; and that sentiment is shared by my executive committee colleagues.

That was written by Stephen Foreshew-Cain, executive director of the Government Digital Service (GDS), who later wrote GDS and gender diversity at conferences and events:

... no-one from GDS will take part in a panel discussion of two or more people unless there is at least one woman on the panel, not including the chair ... This is not tokenism. This is important. This is us doing our bit, and taking action.

Far from tokenism, yesterday GDS pulled out of an international conference on agile software engineering:

I recently made a commitment to gender diversity at events. @gdsteam stands by it. We are reassessing our commitments and (1 of 2) — Steve Foreshew-Cain (@s_foreshew_cain) March 30, 2016

…we will not attend events that don’t reflect our values, including @agiliaconf, which we will not now be speaking at (2 of 2) — Steve Foreshew-Cain (@s_foreshew_cain) March 30, 2016

"We will not attend events that don't reflect our values". Who is we? What does attendance amount to? What is an event? What is reflection? What are our values?

Sometimes the answers are just obvious. When they're not, there will be disagreement. That will divert resources away from meeting user needs, which is GDS's lodestar.

How to avoid that dissipation of resources? How to make it clear whether GDS will attend a conference or not? Should GDS appear on platforms like Twitter alongside people who don't "reflect our values"?

GDS need a definitive list of "our values". An agreed, authoritative and complete list. Curated and canonical. GDS need a register of values.

And not just GDS. The whole civil service. Will Sir Jeremy's 2016 review include the promulgation of Whitehall's values register?


Updated 1.4.16

"Smash the silos"

Focus on users & communities this is going to be fascinating cc @s_foreshew_cain https://t.co/llqGeDhCzq — Fitz (@Fitzdigitalgov) April 1, 2016

And the answer is to smash the silos. One to watch for for sure... @Fitzdigitalgov @kitterati @JanetHughes — Steve Foreshew-Cain (@s_foreshew_cain) April 1, 2016

More on "our values" on Twitter today, please see the valorous manly tweets alongside.

Looking back at GDS's Getting from data to registers, we see:

The Register Design Authority And that’s the focus of the Register Design Authority, which sits in the GDS data group - making sure that registers accurately and helpfully reflect the interconnectedness of government data. This team has domain control for the register.gov.uk domain. It will work with the register custodians who are responsible for running registers and are the domain experts, to ensure that the data in their registers is modelled in ways that meet users’ needs, and work with other registers in the government data ecosystem. This is how we will avoid unhelpful and confusing replication of data and ensure that registers really are trustworthy.

That Register Design Authority, sitting in the GDS data group, with its domain control and responsibility and expertise, claiming in the name of trustworthiness to avoid unhelpful and confusing replication in the ecosystem – it's a classic Whitehall silo and needs presumably to be smashed. That's "our values".

An open address register

First he was the director of open data and transparency. Then director of open data and government innovation. Now Paul Maltby is director of data at the Government Digital Service (GDS) and yesterday he blogged about An open address register:

The UK government is regularly recognised for being a global leader in making public data openly available. Ministers have committed to being the most transparent government ever. We are determined to make sure that we keep producing high quality data and that we make it as accessible as possible ... Data has become a part of our core national infrastructure, and a huge driver of innovation ... Registers, canonical lists of core reference data, are at the forefront of the government’s effort ... GDS Data Group and the Department for Business, Innovation and Skills (BIS) are working in conjunction with a range of other stakeholders to explore how to fully exploit the benefits of open and freely available address data ...

All these predicates may have disappeared from his job title but Mr Maltby wants us to know that he's still in favour of openness and transparency and that he still sees a connection between making data open and inspiring innovation, which in turn will cause the economy to grow. That reference to registers also alerts us to his support for Government as a Platform (GaaP).

RIP IDA – UK First Government to Offer U2F-Secured Digital ID

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

We told them. On 16 April 2015. Please see RIP IDA – what they omitted from the obituary:

Where's the nationwide information campaign? Normal people have never heard of GOV.UK Verify (RIP). GDS want the system to be live in a year's time, by April 2016. Some time soon GDS are going to have to tell 60 million people what GOV.UK Verify (RIP) is. And how it works. And why they should use it.

GOV.UK Verify (RIP) is due to go live next month. April 2016. Maybe nine days away. And still there's no attempt to tell the public what's going on.

Why this reticence?

Google never mounts a campaign to launch a new service. So the Government Digital Service (GDS) shouldn't either. But GDS isn't Google.

-----  o  O  o  -----

We told them. On 3 February 2016. Please see RIP IDA – interview tips:

Do not be embarrassed by the fact that you have never created an ecosystem in your life and do not be embarrassed by the fact that you don't have a clue how to regulate a market. Your interviewers won't ask you about that and you shouldn't ask them about their experience either.

GDS have never created or regulated a market in their lives. And it shows.

-----  o  O  o  -----

The London Stock Exchange regulates its market. Among other things, they operate a regulatory news service, RNS. GDS could have learnt from that.

Instead, they rely on the haphazard use of Twitter to tell the public what's going on in GOV.UK Verify (RIP)'s intensive care unit.

Sometimes new "identity providers" are fulsomely welcomed on board, e.g. Barclays. Sometimes GDS forget to welcome them, e.g. Morpho. That wouldn't happen with an experienced RNS.

There are 100 companies in the FTSE-100. When a new one joins and an old one leaves, that's big news on RNS. For a long time now, there were supposed to be nine GOV.UK Verify (RIP) "identity providers". Then PayPal pulled out. Explanation from GDS? None.

GDS still list eight GOV.UK Verify (RIP) "identity providers" – Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. But Verizon have been closed to new business for over a fortnight now. "More news on this soon", said GDS on 8 March 2016. Since then? Nothing.

A London Stock Exchange marketmaker has to promise to make a market. Otherwise, they lose their membership of the Exchange. They can't just suddenly stop trading. There have to be bid and offer prices on which they will trade at all times. Verizon have stopped "making a market" for over a fortnight. And the consequences? As far as we know, none.

All companies with a full listing on the London Stock Exchange have to abide by the same Exchange rules. That's how you run an orderly market.

With GOV.UK Verify (RIP), some "identity providers" are certified trustworthy by tScheme and some aren't. Why should the certified companies bother to go to all the hard work of obtaining approval if GDS, their regulator, lets other companies operate without approval?

Digidentity, Experian, GBGroup and Verizon are certified trustworthy by tScheme. Barclays, Morpho, PayPal, Post Office and Royal Mail aren't. It's a recipe for creating unhelpful tension in what should be an orderly market.

If you open an account with a London Stock Exchange member to buy and sell shares, you expect it to be straightforward – what you see is what you get. Your account with Barclays Stockbrokers, for example, is an account with Barclays Stockbrokers, not someone else.

Far from straightforward, if you register with GOV.UK Verify (RIP) using Barclays as your "identity provider", it turns out that they rely on Verizon. And if you think you've registered using Royal Mail as your "identity provider", think again. Royal Mail have their accounts managed for them by GBGroup. There's some sort of a tie-up between Digidentity and Post Office as well.

Just who are you dealing with? It's far from clear.

That's not helped when Morpho call themselves "SecureIdentity" and GBGroup call themselves "CitizenSafe".

You've never heard of most of them, have you. Because GDS have never told you anything about them. And yet GDS expect you to trust them all equally, all nine eight seven "identity providers". GDS expect you to trust them with your identity.

The public are being lured into a chaotic identity assurance system, GOV.UK Verify (RIP).

Thanks to our work w/ @Digidentity_UK, @GOVUKverify is first gov service to adopt FIDO #U2F #CyberSecurity standards https://t.co/6I0rofVTeP — Yubico (@Yubico) March 23, 2016

Take for example a tweet that appeared this morning out of nowhere from a company no-one had ever heard of, Yubico.

Apparently, if you're registered by Digidentity, you could also be dealing with Yubico, did you but know it.

Some of the time, GDS think we're all idiots. Some of us can't handle apostrophes or even capital letters and GDS promise that in everything they write no-one will be excluded.

These same people, defeated by capital letters, are meant to be able to make a sensible choice between Royal Mail/GBGroup/CitizenSafe, Barclays/Verizon and Digidentity/Post Office/Yubico.

Here's what Yubico had to tell us this morning. With no public information campaign by way of preparation, who knows what the capital letters-challenged members of the population or anyone else is supposed to make of it?

The UK has spent the past five years on a digital transformation that is setting a world standard [only time will tell, the rest of the world may say thank you but no thanks] for how citizens securely interact with government online services. The UK’s Government Digital Service (GDS), which came online in 2011, will add in a few weeks a new verification service called GOV.UK Verify [RIP] to this impressive project [this impressive project described by the ex-deputy director of GDS as putting lipstick on pigs]. Digidentity is one of the original identity providers (IdP) for GOV.UK Verify [RIP] and will offer support for the YubiKey and the Universal 2nd Factor (U2F) protocol [what's that then?]. UK citizens can now use a YubiKey as a second authentication factor to access their Digidentity accounts [but GDS said GOV.UK Verify (RIP) is already secure, do you need a YubiKey as well to make it really secure, are the other IdP services less secure because they don't use YubiKeys?], while the country rolls out the first government service in the world to support U2F. This is an important milestone for both citizens and governments looking to leverage identity data [you weren't looking to leverage identity data, were you, you just wanted to submit your tax return] to secure services while safeguarding privacy. The combination of secure authentication and federation/single sign-on is required for digital services to scale. GOV.UK Verify uses a host of identity providers who validate a citizen’s personal data, store that data [and share it out of your control with several other organisations anywhere in the world], and verify the user is who they say they are when they attempt to access government digital services. The IdP’s [bit of apostrophe trouble there] are part of an identity federation established as part of GDS. The GOV.UK Verify program has been running in beta for the past 18 months [25 months]. The program supports 13 services [9 services according to GDS, 8 if you discount rural payments, which doesn't exist] spread over five government departments, but it will have 50 services [time will tell] and 10 departments signed up when GOV.UK Verify goes live in early April. The service will support 90% of the UK’s adult population [66% account creation success rate at the moment but there are a few days left for that to improve], according to the UK government. “UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity, [how easily? how much does a FIDO U2F YubiKey cost?]” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified [does Digidentity not work, then, without a YubiKey?] and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy [otherwise we have no privacy?].” Today, verifying identity is mostly done via manual processes [possibly because, when it's important, that's how it has to be done], such as asking people to send identity evidence via snail mail or show ID in-person at a counter service. Those are cumbersome and time-consuming tasks [no snail mail involved when you opened your Amazon account, was there? What are Yubico talking about? There was no snail mail because Amazon piggy-back on the work done by your credit card supplier who piggy-backs on the in person work done by your bank] for people needing access to online services using their digital identity credentials. To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device [if I insert your YibiKey and touch it, does that mean I am you?]. There are no drivers or client software to install [but will it fill in your tax return for you?]. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices. Digidentity’s ground-breaking IdP service with strong authentication is another example of how Yubico helps secure online identities and innovates to make those identities easier to use and and available to everyone [do you want to be available to everyone?].

Best of luck to Sir Jeremy Heywood. And the British public.

----------

Updated 31.3.16

One of the goals of the GOV.UK Verify (RIP) identity assurance programme is to "grow a new market for identity services in the UK".

CitizenSafe announced the other day that GOV.UK Verify (RIP) is replacing the Government Gateway. In an orderly market the case of the Government Gateway, that announcement should come from a politician or from an official, not from a £2 dormant company no-one has ever heard of.

The Government Gateway is used by companies to submit their annual returns and accounts to Companies House and to submit their tax returns to HMRC. GOV.UK Verify (RIP) can't verify companies. GDS confirm that doing so is "not currently on our roadmap". So CitizenSafe are wrong – GOV.UK Verify (RIP) can't replace the Government Gateway.

Is the announcement made by UKAuthority.com any more reliable?

They suggest that the introduction of two-factor authentication (2FA) by using YubiKey (please see above) with GOV.UK Verify (RIP) is a good thing. It puts GDS up there with Google and Dropbox. ieg4, whoever they are, are equally enthusiastic.

But GOV.UK Verify (RIP) has had 2FA from day one. Copied from the UK retail banks who've been doing it for years, account-holders have to enter a one-time password texted to their mobile phone. Why are UKAuthority.com and ieg4 and Digidentity pushing the unknown YubiKey?

Do GDS endorse YubiKey?

Even if they do, Yubico's terms and conditions of business say, in capitals: "F. Warranty Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, YUBICO PROVIDES THE PRODUCT AND THE YUBICLOUD “AS IS”. BY USING THE PRODUCT AND/OR YUBICLOUD, USER ASSUMES ALL RESPONSIBILITY AND RISK OF USE OF THE PRODUCT AND/OR YUBICLOUD WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT".

The wrong people seem to be making the wrong announcements in GDS's new market for identity services in the UK.

GDS have lost control before their market has even opened and long after everyone else like the banks is/are up and running with tens of millions of account-holders and years of successful experience.

For some reason GDS want to drop millions of people who can't handle apostrophes or even capital letters (please see above) into this pit. How are they supposed to decide whether to buy a YubiKey? Is it unsafe to use GOV.UK Verify (RIP) without a YubiKey?

When? When do GDS think it's sensible to go live with GOV.UK Verify (RIP)? "Early April". That could be as early as ... tomorrow.


Updated 8.4.16

GDS have never created or regulated a market in their lives.

And it shows.

GDS are forever changing the GOV.UK Verify (RIP) registration dialogue.

They have recently introduced the following screen:

Three of their "identity providers" can verify you now, they say. The other five are useless – they are unlikely to be able to verify you based on your answers.

This is blatant nonsense – DMossEsq has been verified by no less than four of the "identity providers" deemed by GDS to be useless.

Talking nonsense doesn't help GDS to operate an orderly market. Neither does promoting the interests of three of its suppliers ahead of the other five.

If you're in any doubt, incidentally, which are the useless five "identity providers" according to GDS, click on Show all companies and you'll see:

Five useless GOV.UK Verify (RIP) "identity providers"

Update 12.4.16

This morning, Computer Weekly magazine told us that UK cyber crime growing exponentially. This afternoon, the BBC told us that Security snapshot reveals massive personal data loss.

No news there. Everyone knows the web is a dangerous place to do business.

And everyone knows that the security measures adopted to protect us users can themselves breach our security – there was ElReg last Friday, telling us that US taxmen pull plug on anti-identity-theft system used by identity thieves:

When the IRS [US Internal Revenue Service] admitted last month that 700,000 people's old tax returns – which are full of sensitive personal information – had been sent to scammers, it enrolled those affected in the PIN system. In total this year, the IRS has issued 2.7 million PIN codes. But the scammers got wise, and used 800 of them to file fraudulent tax returns to redirect people's refunds to the criminals' bank accounts. Now the IRS has stopped the system.

How long before the YubiKeys (please see above) being sold to protect users of GOV.UK Verify (RIP) over the YubiCloud turn out to be used by fraudsters to unlock your personal information?

And how long before the UK's Government Digital Service stops luring victims into GOV.UK Verify (RIP) with its irresponsible claim that it's "secure"? Without qualification, just "secure":